A blog for the cryptography group of the University of Bristol. To enable discussion on cryptography and other matters related to our research.

Tuesday, March 4, 2014

Beware – Your user agent could be a double agent!

Even though there were many interesting talks at the RSA 2014 conference in San Francisco, including a few discussing the recent NSA-RSA privacy drama, I chose to blog about a short talk by Mike Shema from Qualys centred on security and privacy on the web.

In his talk, Mike highlighted the difference between having a secure browser and having secure data. Every day we use web browsers (known as user agents, since they act on behalf of the user) to access the web. Many websites rely on collecting users' data to generate their revenue, so as users access websites, those websites interact with the users' browsers behind the scenes, and not always in the way the users would want.

Many vendors offer large cash prizes to help them identify and mitigate security vulnerabilities in their browsers. Although there have been many recent initiatives towards making browsers more secure, including the advent of HTML5, we still have not reached what we would consider a default standard for privacy. Vendors have conflicting perspectives on not tracking users on the web. The implementation of the recently proposed “Do Not Track” HTTP header is one obvious example. Internet Explorer suggested that the default value of such a field should be set to enabled, so that tracking is prevented by default unless the user decides to opt in. Google Chrome, on the other hand, had a different point of view. Advertisers also thought such a feature would impact their business.

Security features are constantly being added to browsers to make them more secure. As well as automatic updates, such features include process separation and sandboxing. Informally, the former allows different tabs/web pages to run as separate processes, whereas the latter limits access to the user's resources on a per-application basis. As an example, the latest versions of Google Chrome embed Flash in a process of its own.

There are many ways one could envision metrics for evaluating browser and data security, or for assessing whether one browser is more secure than another, or one data set more private than another. On the one hand, there is malware (short for malicious software) which attacks browsers directly. On the other hand, we have attacks like resource framing, clickjacking and Cross-Site Request Forgery (CSRF). CSRF (sometimes also abbreviated as XSRF) allows an attacker to force the victim's browser to send HTTP requests to another target website, thereby making use of any capabilities the victim has with the target website, e.g. exploiting an existing authenticated session that the victim has with it. Recently, Mozilla and Safari turned on TLS 1.1/TLS 1.2 and are using the recommended cipher suites by default to promote network encryption, which is vital for data security.

Many web pages these days are built from multiple origins, with their content coming from different sources. Advertising, in particular, is inherently cross-origin. It was not until about 10 years ago that the risks of mixing content from multiple origins in a single web page came to the fore.

Even though the Same Origin Policy enforced by browsers ensures that a resource cannot read a response from another origin, it does not provide proper isolation of cookies and resources across different origins, and thus it does not rule out CSRF. More precisely, the Same Origin Policy does not stop a resource from one origin from making a request to a resource from a different origin, and the browser still attaches the cookies it holds for that destination.

By ensuring that websites use SSL (Secure Sockets Layer), as emphasised by the Electronic Frontier Foundation (EFF) in its “HTTPS Everywhere” initiative, many security vulnerabilities such as mixed content and information leakage can be prevented. However, there have been examples of many browsers (especially on mobile devices) which used HTTPS but were still vulnerable because they skipped important steps such as certificate validation.
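The mixed-content problem mentioned above is easy to check for mechanically. The scanner below is an added example, not code from the original post or from the EFF's HTTPS Everywhere project: given a page URL and its HTML, it flags subresources that would be fetched over plain http:// from an https:// page, distinguishing active content (scripts, frames, stylesheets, form targets) from passive content such as images. The sample HTML and the hostnames in it are constructed for the example.

```javascript
// Added example: flag mixed content in an HTTPS page.
// Only these tag/attribute pairs load subresources into the page;
// navigation links (<a href>) are not mixed content.
const SUBRESOURCE_ATTRS = {
  script: 'src', img: 'src', iframe: 'src', link: 'href', form: 'action',
};
// Elements whose http:// load can change the page or its requests.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link', 'form']);
// Simple attribute matcher; sufficient for well-formed markup like the sample.
const ATTR_RE = /<([a-z]+)\b[^>]*?\b(src|href|action)\s*=\s*["']([^"']+)["']/gi;

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // nothing to mix on an http: page
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const tag = m[1].toLowerCase();
    const attr = m[2].toLowerCase();
    if (SUBRESOURCE_ATTRS[tag] !== attr) continue;
    let target;
    try {
      target = new URL(m[3], page); // resolves relative and protocol-relative URLs
    } catch (e) {
      continue;
    }
    if (target.protocol === 'http:') {
      findings.push({ tag, url: target.href, active: ACTIVE_TAGS.has(tag) });
    }
  }
  return findings;
}

// Constructed page: two insecure loads, two safe relative/protocol-relative
// loads, a secure frame and a plain navigation link.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//static.example/app.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="/images/safe.png">
<iframe src="https://ads.example/frame"></iframe>
<a href="http://other.example/page">link</a>
</body></html>`;

function scanSample() {
  return findMixedContent('https://shop.example/checkout', SAMPLE_HTML);
}

console.log(scanSample());
```

The protocol-relative `//static.example/app.js` resolves to https: on an https: page and is therefore not reported; the same markup served over plain http: would load it insecurely, which is one reason the post argues for HTTPS everywhere rather than case by case.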

In order to enhance users' data privacy, many potential solutions could be implemented. One important step is to impose penalties on servers which do not honour the Do Not Track requests made by users. Another possible countermeasure is data pollution, where, for instance, users swap their cookies, such as Google PREF IDs or DoubleClick cookies, in order to achieve anonymity.

In summary, there are a number of measures which could help preserve users' privacy on the web. Firstly, enabling “deny third party cookies” as the default, as Safari does. Secondly, using identity management and separating cookie jars, in order to ensure that a user's interaction with one website is independent of their interaction with another.
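To make the two closing measures concrete, here is an added example (not code from the original post or from any browser) that models a browser cookie jar. With third-party cookies allowed, a tracker embedded on two unrelated sites receives the same identifier on both and can link the visits; with them denied, the cookie is never stored, and with separate cookie jars per identity, even first-party cookies from one identity are invisible to the other. The origins news.example, shop.example, tracker.example and social.example and the cookie values are constructed; the model treats any differing host as third-party, whereas real browsers compare registrable domains.

```javascript
// Added example: a cookie-jar model for "deny third party cookies" and
// per-identity cookie jars. Origins and values are constructed.
class CookieJar {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.store = new Map(); // host -> Map(name -> value)
  }

  // A request is third-party when the resource's host differs from the
  // top-level page the user is looking at (simplification: real browsers
  // compare registrable domains, not whole hosts).
  static isThirdParty(topLevelOrigin, requestOrigin) {
    return new URL(topLevelOrigin).host !== new URL(requestOrigin).host;
  }

  // Store a cookie set by a response from requestOrigin; returns whether stored.
  setCookie(topLevelOrigin, requestOrigin, name, value) {
    if (this.blockThirdParty && CookieJar.isThirdParty(topLevelOrigin, requestOrigin)) {
      return false;
    }
    const host = new URL(requestOrigin).host;
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
    return true;
  }

  // Cookies the browser would attach to a request to requestOrigin.
  cookiesFor(topLevelOrigin, requestOrigin) {
    if (this.blockThirdParty && CookieJar.isThirdParty(topLevelOrigin, requestOrigin)) {
      return {};
    }
    const host = new URL(requestOrigin).host;
    return Object.fromEntries(this.store.get(host) || []);
  }
}

// Scenario: an ad network at tracker.example is embedded on two unrelated
// sites. Returns the identifier the tracker sees on the second site, or
// null when the two visits cannot be linked.
function trackingScenario(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  jar.setCookie('https://news.example', 'https://tracker.example', 'id', 'u42');
  const seen = jar.cookiesFor('https://shop.example', 'https://tracker.example');
  return seen.id || null;
}

// Scenario: two identities (work, personal) with separate jars on the same
// site. Returns how many cookies leak from one jar into the other.
function separateJars() {
  const work = new CookieJar({ blockThirdParty: true });
  const personal = new CookieJar({ blockThirdParty: true });
  work.setCookie('https://social.example', 'https://social.example', 'session', 'work-sess');
  const leaked = personal.cookiesFor('https://social.example', 'https://social.example');
  return Object.keys(leaked).length;
}

console.log({
  linkedWithThirdParty: trackingScenario(false), // 'u42'
  linkedWithoutThirdParty: trackingScenario(true), // null
  leakedAcrossJars: separateJars(), // 0
});
```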